Fault tolerant smart card.

A fault tolerant smart card (10) is provided having
primary functional units including a standard ISO
interface (12), a first microcontroller (14), a clock (22,
26), and main memory (16, 18, 20). Secondary functional
units including a secondary microcontroller (30),
secondary memory (32) with bit checking capability (34)
and an alternate battery power source (28) are also
provided. A microcontroller error detector (36) is
connected to both microcontrollers (14, 30). Should a
discrepancy between microcontrollers (14, 30) occur
known test patterns are run on the second
microcontroller (30) to determine which microcontroller
is faulty. A private access port (44) provides alternate
access to information stored in the fault tolerant smart
card (10). Registers for funds remaining (38), error
condition (42) and access account (40) are also provided.
FAULT TOLERANT SMART CARD



TECHNICAL FIELD 



The present invention relates to a fault tolerant
smart card and, more specifically, to a fault tolerant
smart card which may find particular application in
the postage meter industry.



BACKGROUND AND OBJECTS OF THE INVENTION



Integrated circuit or so-called "intelligent" or
"smart" cards which include a microprocessor and
memory are commercially available and are useful
in many applications. Of increasing importance is
the ability of smart cards to securely transport
monetary funds, including transportation of postal
funds or information relating to postage funds. See,
for example, U.S. application serial no.
(attorney docket C-343) entitled "Postal Charge
Accounting System" wherein departmental postage
meter use information is stored in smart card memory,
and U.S. application serial no. (attorney
docket C-341) entitled "Postage Meter Value Card
System" wherein postage meter funds are transferred
from a value card center to a postage meter
for recharging the postage meter vault.

Given the increasing importance of information
stored in smart card memory, the adverse effects 
of a malfunctioning smart card can be quite costly. 
Therefore, it would be highly desirable to provide a 
smart card having increased reliability. It would 
also be highly desirable to provide a smart card 
which may be accessed by service personnel even 
were a card malfunction to occur. In this manner, 
monetary funds stored in the card would not be 
"lost" due to card malfunction. 

Therefore, it is an object of the present inven- 
tion to provide an improved smart card. 

It is another object of the invention to provide a 
fault tolerant smart card. 

It is yet another object of the invention to 
provide access to information retained in memory 
of a smart card which suffers a malfunction. 

These and other highly desirable objects and 
advantages are obtained in a convenient yet secure 
fault tolerant smart card. 

Objects and advantages of the invention are 
set forth in part herein and in part will be obvious 
herefrom, or may be learned by practice with the 
invention, the same being realized and attained by
means of the instrumentalities and combinations 
pointed out in the appended claims. 



SUMMARY OF THE INVENTION 



In accordance with the present invention a fault
tolerant smart card is provided having primary
functional units including a standard ISO interface,
a primary microcontroller, main memory including
ROM, RAM and EEPROM, a clock generator and a
power source. In addition to its normal smart card
functions the primary microcontroller addresses an
access account register and a microcontroller fault
detector which, in turn, addresses an exception
register. Secondary smart card functional units are
provided including a secondary microcontroller,
secondary memory which may include ROM and
associated check bits, a funds remaining shadow
register, the access account register, the
microcontroller fault detector, and the exception
condition register. A private access port is also
provided. All of the secondary units requiring power
support are connected to an alternate battery power
source. The secondary microcontroller is connected to
the primary and secondary clock units, the
microcontroller fault detector and the funds remaining
register. The secondary microcontroller addresses the
secondary memory and has read-only access to
the main memory.

In normal operation the primary and secondary
microcontrollers operate synchronously and execute
in parallel identical instructions from the
same memory store, but with the secondary
microcontroller having read-only access to the main
memory.

Should the microcontroller fault detector sense
a fault in either of the main or secondary
microcontrollers, as evidenced by an inconsistency
between microcontroller signals, the exception register
will be written into. When this occurs the primary
microcontroller will be maintained in a frozen state
and the secondary microcontroller will be released
from the main memory to address the secondary
memory and run known test patterns. Should a
fault occur during the test the secondary
microcontroller is assumed to be faulty and the main
microcontroller will be permitted to continue processing.
Of course, the user might be notified that card
service and/or replacement is required.

On the other hand, if no error occurs during the
test then the main microcontroller is assumed to be
faulty, the card remains inoperable, and the user is
notified by an appropriate flag that a card fault
condition exists.

Advantageously, the private access port permits
service personnel to directly access the secondary
microcontroller, the funds remaining register,
the access account register and the exception
condition register. Service personnel might also
make use of the secondary microcontroller, such
as to access in read-only fashion the main memory.
In the preferred embodiment including check
bits the check bits would detect and circumvent
any single bit failure in the secondary memory.

Thus, it will readily be appreciated that the fault
tolerant smart card according to the present invention
advantageously provides a smart card capable
of detecting and circumventing a single bit or single
path failure. Notwithstanding such a failure, the
fault tolerant smart card remarkably provides
"back-door" access through a private access port
to important information held in the smart card.
Advantageously, the person acquiring access
through the private access port is able to determine
the amount of any funds remaining in the
card and access other important information in the
card main memory. As a further advantage of the
present invention the primary functional units
communicate via the standard ISO interface in a
traditional manner. Therefore, the fault tolerant smart
card in accordance with the invention may be used
in conjunction with existing, unmodified equipment.
By way of example only, the fault tolerant smart
card according to the present invention may find
particular application in the systems disclosed in
the aforementioned patent applications.

It will be understood that the foregoing general
description as well as the following detailed
description are exemplary and explanatory of the
invention but are not restrictive thereof.



BRIEF DESCRIPTION OF THE DRAWING



The accompanying drawing, referred to herein
and constituting a part hereof, illustrates in
schematic block diagram form the preferred embodiment
of a fault tolerant smart card in accordance
with the present invention.



DETAILED DESCRIPTION OF THE PREFERRED 
EMBODIMENTS 



Referring now to the drawing, labelled as Figure 1,
there is shown a schematic block diagram
illustration of the fault tolerant smart card 10 in
accordance with the invention. As shown, smart
card 10 includes a set of primary functional units
including a standard ISO type interface 12, a
microcontroller unit 14, addressable read-only
memory (ROM) 16, random access memory (RAM)
18, electronically erasable programmable read-only
memory (EEPROM) 20, primary and secondary
clock generators 22, 26, respectively, and a primary
power source 24. The preferred General
Electric smart card referred to in the aforementioned
patent applications derives power through
the ISO interface, as shown, but an external primary
power supply is not critical to the present
invention. The foregoing elements, interconnected
as shown, comprise the primary functional units for
carrying out normal operation of the smart card.

In addition, secondary functional units are provided
for fault tolerant card support. The secondary
units include a second clock generator 26 connected
to an alternate battery power source 28 and
to both microcontrollers 14, 30. The secondary
microcontroller is connected to secondary memory
32, a microcontroller fault detector 36, and a funds
remaining shadow register 38. Preferably, check
bits 34 are provided in association with secondary
memory 32 to monitor single bit failures within the
secondary memory. As shown, the secondary
microcontroller is connected in an addressable
manner to ROM 32 and to funds remaining register
38. Secondary microcontroller 30 is also connected
to a private access port 44 and has read-only
access to main memory 20. Secondary microcontroller
30 is supported by primary power source 24
and alternate battery source 28. An access account
register 40 and an exception condition register 42
addressed by the microcontroller fault detector are
also provided. Each of funds remaining register 38,
access account register 40, and exception condition
register 42 are also connected to private
access port 44 and are supported by battery
source 28. Secondary memory 32 is also supported
by battery source 28 and is connected to
exception condition register 42. Access account
register 40 is addressed by primary microcontroller
14 and is written into after each card use to maintain
a history trace of the identity of the user, the
memory address accessed, and the information
stored at that address.

So constructed, the present smart card circuit
provides detection and circumvention of single bit
and single path smart card faults. During normal
operation both microcontrollers 14, 30 work in a
synchronous mode of operation to execute in parallel
identical instructions from the same memory
store. After each transaction secondary microcontroller
30 updates funds remaining register 38 to
provide a running summary of the funds that remain
stored in the card.

Should a discrepancy occur between the main
and secondary microcontrollers the microcontroller
fault detector, here shown as exclusive "OR" gate
36, would trigger a high output signal, thereby
writing into exception condition register 42. If the
exception register 42 is written into, program
information in secondary memory 32 will direct
secondary microcontroller 30 to release main memory
16, 18, 20 and run known test patterns stored in
secondary memory 32. During this time main
microcontroller 14 remains in a frozen state. Should
a fault occur during the test, secondary processor
30 is assumed to be faulty and main processor 14
is permitted to continue processing. However, if no
faults are found during the known test pattern, the
main processor 14 is assumed to be faulty and the
user is notified of a fault condition. Thereafter,
information access is limited to proprietary interface
44, which is preferably available only to service
personnel. Notwithstanding a main processor
fault, service personnel may access each of the
funds remaining register 38, access account register
40, and exception register 42 through private
access port 44. Main memory 16, 18, 20 might also
be accessed through port 44 if secondary
microcontroller 30 remains viable. In this regard,
secondary memory 32 is preferably provided with
associated check bits, sometimes referred to as
"Hamming Bits", to circumvent any bit failures
within secondary memory 32.
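
The arbitration described above (and in the Summary) is modelled below in C as an added illustration, not part of the patent text: exclusive "OR" fault detector 36, exception register 42 and the known test pattern check. The model also shows two limits of the scheme: a secondary fault that the patterns do not exercise is attributed to the primary, and an identical fault in both microcontrollers produces no discrepancy. The adder model, the stuck-at fault masks, the test patterns and the workload are constructed assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model: each microcontroller is an 8-bit adder whose output
 * can have bits stuck at 1 (stuck_mask == 0 means healthy). */
typedef struct { uint8_t stuck_mask; } mcu_t;
typedef struct { uint8_t a, b, expect; } pattern_t;
typedef enum { CARD_OK, SECONDARY_FAULTY, PRIMARY_FAULTY } verdict_t;
typedef struct {
    uint8_t exception_reg;  /* register 42: latched detector output */
    int primary_frozen;     /* microcontroller 14 held in a frozen state */
    verdict_t verdict;
} card_t;

static uint8_t mcu_exec(const mcu_t *m, uint8_t a, uint8_t b) {
    return (uint8_t)((uint8_t)(a + b) | m->stuck_mask);
}

/* Constructed known-answer patterns standing in for secondary memory 32.
 * FULL drives every output bit to 0 at least once; WEAK never drives the
 * low seven bits to 0, so it cannot see a stuck-at-1 fault there. */
static const pattern_t FULL[] = {{0x00,0x00,0x00},{0x55,0x2A,0x7F},{0xFF,0x00,0xFF}};
static const pattern_t WEAK[] = {{0x55,0x2A,0x7F},{0xFF,0x00,0xFF}};
/* Constructed workload: operand pairs both microcontrollers execute. */
static const uint8_t OPS[][2] = {{0x10,0x02},{0x21,0x04},{0x40,0x08}};

static int self_test_passes(const mcu_t *sec, const pattern_t *p, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (mcu_exec(sec, p[i].a, p[i].b) != p[i].expect) return 0;
    return 1;
}

static card_t run_lockstep(const mcu_t *pri, const mcu_t *sec,
                           const pattern_t *pat, size_t n_pat) {
    card_t card = {0, 0, CARD_OK};
    for (size_t i = 0; i < sizeof OPS / sizeof OPS[0]; i++) {
        /* Fault detector 36: XOR of the two outputs, nonzero on discrepancy. */
        uint8_t diff = mcu_exec(pri, OPS[i][0], OPS[i][1]) ^
                       mcu_exec(sec, OPS[i][0], OPS[i][1]);
        if (diff == 0) continue;
        card.exception_reg = diff;   /* write exception register 42 */
        card.primary_frozen = 1;     /* freeze 14 while 30 runs the patterns */
        if (!self_test_passes(sec, pat, n_pat)) {
            card.verdict = SECONDARY_FAULTY;  /* 30 failed: 14 continues */
            card.primary_frozen = 0;
        } else {
            card.verdict = PRIMARY_FAULTY;    /* 30 passed: 14 is blamed */
        }
        break;
    }
    return card;
}

static verdict_t diagnose(uint8_t pri_stuck, uint8_t sec_stuck, int use_weak) {
    mcu_t pri = {pri_stuck}, sec = {sec_stuck};
    return use_weak ? run_lockstep(&pri, &sec, WEAK, 2).verdict
                    : run_lockstep(&pri, &sec, FULL, 3).verdict;
}

int main(void) {
    static const char *name[] = {"ok", "secondary faulty", "primary faulty"};
    printf("healthy pair:               %s\n", name[diagnose(0, 0, 0)]);
    printf("primary stuck bit 0:        %s\n", name[diagnose(1, 0, 0)]);
    printf("secondary stuck bit 0:      %s\n", name[diagnose(0, 1, 0)]);
    printf("same, weak patterns:        %s\n", name[diagnose(0, 1, 1)]);
    printf("both stuck bit 0 (no diff): %s\n", name[diagnose(1, 1, 0)]);
    return 0;
}
```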

Thus, the fault tolerant smart card according to 
the invention substantially eliminates the risk that
funds and/or accounting information stored in the
card will be lost due to card failure. Indeed, should
a card failure occur, service personnel may simply 
access the remaining funds amount and other in- 
formation held in main memory and transfer this 
information to a new smart card or other recording 
medium. In this manner the customer is assured 
that monetary funds and information will not be 
compromised due to a smart card malfunction. As 
will be readily appreciated, this capability will avoid 
the deleterious effects to customer relations that 
might otherwise result from such card failures. 

Thus, the fault tolerant smart card according to 
the present invention advantageously detects smart 
card failures and, notwithstanding such a failure, 
permits private access to important information 
stored in the faulty card. 

To the extent not already indicated, it will be 
understood that the invention in its broader aspects
is not limited to the specific embodiments herein 
shown and described but departures may be made 
therefrom within the scope of the accompanying 
claims, without departing from the principles of the 
invention and without sacrificing its chief advan- 
tages. 



Claims 

1. A fault tolerant smart card (10) comprising:
a standard input-output interface (12);
clock means (22, 26) for providing a time reference
during smart card operations;
main memory means (16, 18, 20) for storing program
and data information;
first microcontroller means (14) connected to said
interface (12), said clock means (22, 26) and said
main memory means (16, 18, 20) for performing
normal smart card functions;
secondary microcontroller means (30) connected to
said first microcontroller means (14), said clock
means (22, 26), said main memory means (16, 18,
20) and to secondary memory means (32) for performing
normal smart card functions in synchronization
with said first microcontroller means (14);
microcontroller error detection means (36) connected
to said first microcontroller means (14) and said
secondary microcontroller means (30) for detecting
a failure of either of said first or secondary
microcontrollers (14, 30); and
primary power supply means (24) connected to
said first microcontroller means (14).

2. The fault tolerant smart card (10) according
to claim 1 wherein said secondary microcontroller
means (30) has read-only access to said main
memory means (16, 18, 20).

3. The fault tolerant smart card (10) according
to claim 1 wherein said clock means (22, 26)
further comprise a primary clock (22) and a secondary
clock (26), said secondary clock (26) being
connected to a secondary battery power means
(28).

4. The fault tolerant smart card (10) according
to claim 1 further comprising an access account
register (40) connected to and addressed by said
first microcontroller means (14) for providing a history
trace of user identity and memory locations
addressed by prior users.

5. The fault tolerant smart card (10) according
to claim 1 wherein said secondary memory (32)
further comprises read-only memory (32) including
programming for running one or more known test
patterns on said second microcontroller (30).

6. The fault tolerant smart card (10) according
to claim 5 wherein said secondary memory programming
is activated by said microcontroller error
detection means (36) upon detection of a failure in
either of said first or second microcontroller means
(14, 30).

7. The fault tolerant smart card (10) according
to claim 6 wherein, upon indication of a microcontroller
failure by said microcontroller error detection
means (36), said first microcontroller (14) is maintained
in a frozen state while said secondary
microcontroller (30) runs said known test patterns.

8. The fault tolerant smart card (10) according
to claim 7 wherein, should an error occur in said
known test patterns, said secondary microcontroller
(30) is assumed to be faulty and said first
microcontroller (14) is permitted to continue processing.

9. The fault tolerant smart card (10) according
to claim 7 wherein, should no error occur in said
known test patterns, said first microcontroller (14)
is assumed to be faulty and card failure is indicated
to the user.

10. The fault tolerant smart card (10) according 
to claim 9 further comprising private access port 
means (44) connected to said second microcontrol- 
ler means (30) for permitting service access to the 
fault tolerant smart card (10). 

11. The fault tolerant smart card (10) according 
to claim 10 further comprising a funds remaining 
register (38) connected to said second microcon- 
troller (30) and further connected to and accessible 
through said private access port means (44) for 
indicating a remaining amount of funds stored in 
the fault tolerant smart card (10). 

12. The fault tolerant smart card (10) according 
to claim 10 further comprising access account 
means (40) connected to said first microcontroller 
means (14) and connected to and accessible 
through said private access port means (44) for 
providing a history trace of user identity memory 
locations addressed by prior users. 

13. The fault tolerant smart card (10) according 
to claim 11 wherein said secondary microcontroller
(30), said secondary memory (32), and said funds 
remaining register (38) are connected to a secon- 
dary battery power source (28). 

14. The fault tolerant smart card (10) according 
to claim 12 wherein said secondary microcontroller 
(30), said secondary memory (32) and said access 
account means (40) are connected to a secondary
battery power source (28). 

15. The fault tolerant smart card (10) according 
to claim 10 further comprising checking bit means 
(34) associated with said secondary memory (32) 
for detecting and circumventing single bit or single 
path failures within said secondary memory (32). 

16. The fault tolerant smart card (10) according
to claim 1 wherein said microcontroller error detection
means (36) further comprise an exclusive
"OR" gate (36) furnished with the output signal of
each of said first and second microcontrollers (14,
30), said exclusive "OR" gate (36) being triggered
to produce an error signal should a discrepancy
occur between said microcontroller output signals.

17. A fault tolerant smart card (10) comprising:
a standard input-output interface (12);
clock means (22, 26) for providing a timer reference
during smart card operations;
main memory means (16, 18, 20) for storing program
and data information;
first microcontroller means (14) connected to said
interface (12), said clock means (22, 26) and said
main memory means (16, 18, 20) for performing
normal smart card functions;
secondary microcontroller means (30) connected to
said first microcontroller means (14), said clock
means (22, 26), said main memory means (16, 18,
20) and to secondary memory means (32), said
secondary microcontroller means (30) performing
normal smart card functions in synchronization with
said first microcontroller means (14);
microcontroller error detection means (36) connected
to said first and secondary microcontroller
means (14, 30) for detecting a discrepancy between
said first and secondary microcontroller
means (14, 30); and
private access port means (44)
connected to said secondary microcontroller (30)
for providing private access to the fault tolerant
smart card (10).

18. The fault tolerant smart card (10) according
to claim 17 wherein, upon detection of an error by
said microcontroller error detection means (36),
said first microcontroller (14) is maintained in a
frozen state and said secondary microcontroller
(30) is released from said main memory means
(16, 18, 20) to run known test patterns under the
direction of said secondary memory means (32).

19. The fault tolerant smart card (10) according
to claim 18 wherein, should an error occur during
said known test patterns, said secondary microcontroller
(30) will be assumed faulty and said first
microcontroller (14) will be permitted to continue
processing.

20. The fault tolerant smart card (10) according
to claim 18 wherein, should no error occur during
said known test patterns, said first microcontroller
(14) is assumed faulty and a faulty card signal is
transmitted to the user.

21. The fault tolerant smart card (10) according
to claim 20 wherein said private access port (44)
permits access to information contained in said
main memory means (16, 18, 20).

22. The fault tolerant smart card (10) according
to claim 21 further comprising a funds remaining
register (38) connected to said secondary
microcontroller (30) and said private access port means
(44) for storing information relating to available funds
remaining within the fault tolerant smart card (10).